Tags: openclaw, security, clawhavoc, managed-hosting, enterprise

135,000 Exposed OpenClaw Instances: Why Managed Hosting Is a Security Decision

ClawHavoc, exposed instances, and persistent credentials — the real security risks of self-hosting OpenClaw and how managed hosting eliminates them.

By ClawPort Team

In February 2026, two security events changed the conversation around OpenClaw deployment forever.

First, SecurityScorecard's STRIKE team discovered over 135,000 OpenClaw instances exposed to the public internet — gateways running on default ports with no authentication, accessible to anyone with a port scanner.

Second, the ClawHavoc supply chain attack planted 1,184 malicious skills in OpenClaw's ClawHub marketplace — roughly one in five packages in the ecosystem. These skills targeted agents' persistent memory files, silently rewriting behavioral instructions to alter how agents operate long after installation.

Microsoft's security team responded with a stark recommendation: OpenClaw "should be treated as untrusted code execution with persistent credentials" and should be deployed "only in a fully isolated environment."

If you're running OpenClaw for your business, this isn't theoretical. Let's break down the real risks and what to do about them.

Risk 1: Exposed Gateways

The 135,000 figure comes from a simple reality: OpenClaw's default configuration binds to 0.0.0.0 (all interfaces) on a predictable port. Most self-hosting tutorials don't mention firewall configuration. Most developers deploying their first agent skip the step.

An exposed gateway means:

  • Anyone can send messages to your agent — triggering actions, reading responses
  • Agent credentials are accessible — API keys, email access, calendar permissions
  • Memory files are readable — every conversation, every preference, every stored secret

At ClawPort, gateways bind to 127.0.0.1 exclusively. Traffic reaches them only through our authenticated reverse proxy. The gateway port is never exposed to the internet — not by default, not by accident, not ever.

Risk 2: Persistent Credentials

An OpenClaw agent is fundamentally different from a chatbot. It holds persistent credentials for real systems: your email, your calendar, your file storage, your CRM. Those credentials sit in configuration files on disk, readable by the OpenClaw process.

On a self-hosted VPS, anyone who gains SSH access — through a weak password, an unpatched vulnerability, or a compromised dependency — gets every credential the agent has.

ClawPort's approach: Each tenant gets their own Docker container with its own isolated filesystem. Credentials are injected at deploy time and never written to shared storage. Container-to-container traffic is blocked at the Docker network level. Even if one tenant's agent is compromised, there's no lateral movement to another tenant's data.

Risk 3: Supply Chain Attacks (ClawHavoc)

The ClawHavoc attack was sophisticated. Attackers didn't just plant malicious code — they targeted memory files. OpenClaw stores long-term behavioral instructions in Markdown files that the agent reads on every interaction. A malicious skill modifies these files once, then the modification persists forever, even after the skill is removed.

In a multi-agent deployment, this is catastrophic. One poisoned agent passes tainted outputs to every downstream agent in the pipeline.

What managed hosting can do: ClawPort monitors container behavior and provides isolated skill environments. But more importantly, the per-function deployment model (one agent per business task) means a compromised customer support agent can't access your sales pipeline agent's credentials or memory.

Risk 4: No Update Discipline

OpenClaw releases security patches regularly. Self-hosted instances need manual updates — or a carefully configured Watchtower setup. Most don't get either.

ClawPort runs Watchtower in monitor mode for all tenant containers. When a security update is available, we coordinate the rollout. No tenant action required.

The Checklist: Self-Hosting Safely

If you're committed to self-hosting, here's the minimum security configuration:

  1. Bind to 127.0.0.1, never 0.0.0.0
  2. Put a reverse proxy (nginx/Caddy) with SSL in front of the gateway
  3. Set a gateway token: OPENCLAW_GATEWAY_TOKEN must be set for any network-accessible deployment
  4. Configure UFW — only ports 22, 80, 443 should be open
  5. Enable automatic security updates: unattended-upgrades on Ubuntu
  6. Use Docker with memory limits and network isolation
  7. Back up memory files — if they're corrupted, you need clean copies
  8. Monitor ClawHub skills — audit every skill before installation, review the source code
  9. Set up log monitoring — watch for unexpected outbound connections
  10. Keep credentials rotated — API keys should have expiration dates
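As an added example (this is not ClawPort's or OpenClaw's code), the POSIX shell audit below turns checklist items 1, 3 and 4, together with the on-disk credential point from Risk 2, into checks you can run on a VPS. It generalizes item 1 a little: instead of only looking for 0.0.0.0, it flags any listener on all interfaces whose port is not one that SSH or the reverse proxy is expected to own. The config directory path, the 32-character token floor, and the port 9999 in the sample are assumptions; OPENCLAW_GATEWAY_TOKEN is the variable named in the checklist.

```shell
#!/bin/sh
# Added example (not ClawPort's or OpenClaw's own tooling): a self-hosting
# audit covering checklist items 1, 3 and 4 plus the Risk 2 credential
# exposure. OPENCLAW_CONFIG_DIR and TOKEN_MIN_LEN are this example's
# assumptions; OPENCLAW_GATEWAY_TOKEN is the variable named in the checklist.

# Item 4: the only services that may listen on all interfaces (SSH, proxy).
ALLOWED_PUBLIC_PORTS="22 80 443"

# Item 1: read `ss -H -lnt` output on stdin and print every socket bound to
# 0.0.0.0, * or [::] whose port is not in ALLOWED_PUBLIC_PORTS. A gateway
# listed here is reachable by anyone who can reach the host.
find_wildcard_listeners() {
  awk -v allowed="$ALLOWED_PUBLIC_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      addr = $4                                  # Local Address:Port column
      if (addr !~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/) next
      port = addr; sub(/.*:/, "", port)
      if (!(port in ok)) print
    }'
}

# Item 3: a network-reachable gateway must carry a token. Returns 0 when
# OPENCLAW_GATEWAY_TOKEN is set and at least TOKEN_MIN_LEN characters long
# (the 32-character floor is an assumption of this example, not a product rule).
TOKEN_MIN_LEN=32
check_gateway_token() {
  tok="${OPENCLAW_GATEWAY_TOKEN:-}"
  [ "${#tok}" -ge "$TOKEN_MIN_LEN" ]
}

# Risk 2: credentials live in config files on disk, so nothing in the config
# directory may be group- or world-readable. Prints each offending file with
# its mode; returns 1 if any were found.
find_loose_perms() {
  dir="$1"; found=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
      *00) ;;                                    # owner-only: fine
      *)   echo "$f ($mode)"; found=1 ;;
    esac
  done
  return "$found"
}

# Live checks for this host. Run with: RUN_AUDIT=1 sh audit.sh
run_audit() {
  cfg="${OPENCLAW_CONFIG_DIR:-$HOME/.openclaw}"   # placeholder path, assumed
  echo "== listeners on all interfaces outside ports $ALLOWED_PUBLIC_PORTS =="
  ss -H -lnt | find_wildcard_listeners
  echo "== gateway token =="
  if check_gateway_token; then echo "ok"; else echo "MISSING or shorter than $TOKEN_MIN_LEN"; fi
  echo "== config files readable beyond the owner ($cfg) =="
  find_loose_perms "$cfg" || true
}

if [ "${RUN_AUDIT:-0}" = 1 ]; then run_audit; fi
```

The listener check is deliberately driven by `ss` output rather than by the gateway's config file, because the number that matters is what the kernel is actually exposing: a correct bind setting in a config file that the running process never read still leaves you on the exposed list.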

That's 10 ongoing responsibilities. Miss one, and you're part of the 135,000.

Or Skip the Checklist

ClawPort handles all 10 by default. Every gateway binds to localhost. Every tenant runs in an isolated Docker container. Every connection is SSL-terminated through Cloudflare. UFW is configured. Updates are monitored. Backups run nightly.

$10/month. That's less than one hour of an engineer's time per year.

The question isn't whether managed hosting is worth it. The question is whether your security posture is worth the risk of doing it yourself.


Deploy a secured OpenClaw agent in 60 seconds. Get started — every security best practice is configured out of the box.
